Skip to main content

OpenBao agent persistent caching

OpenBao Agent can restore tokens and leases from a persistent cache file created by a previous OpenBao Agent process. The persistent cache is a BoltDB file that includes tuples encrypted by a generated encryption key. The encrypted tuples include the OpenBao token used to retrieve secrets, leases for tokens/secrets, and secret values.

info

Note: OpenBao Agent Persistent Caching will only restore leased secrets. Secrets that are not renewable, such as KV v2, will not be persisted.

In order to use OpenBao Agent persistent cache, auto-auth must be used. If the auto-auth token has expired by the time the cache is restored, the cache will be invalidated and secrets will need to be re-fetched from OpenBao.

If OpenBao Agent templating is enabled alongside of the persistent cache, OpenBao Agent will automatically route templating requests through the cache. This ensures template requests are cached and restored properly.

info

Note OpenBao Agent persistent cache is currently supported only in a Kubernetes environment.

OpenBao agent persistent cache types

Please see the sidebar for available types and their usage/configuration.

Persistent cache example configuration

Here is an example of a persistent cache configuration.

# Other OpenBao agent configuration blocks
# ...

cache {
  persist "kubernetes" {
    path = "/openbao/agent-cache"
  }
}